Seminar on
Information Security With HONEYPOTS
(An Internet Technology)
Presented By: Dhaivat Zala
What is Information Security?
• Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy.
• Effective Information Security incorporates security products, technologies, policies and procedures.
• No collection of products alone can solve every Information Security issue faced by an organization.
• More than a set of technologies and reliance on proven industry practices is required, although both are important.
• Products such as firewalls, Intrusion Detection Systems (IDS), and vulnerability scanners alone are not sufficient to provide effective Information Security.
Three Main Issues That Are Not Given Much Attention
1 – Lack of awareness: both at a corporate level and at an end-user level.
• This means that people who are part of the internet community are not safe.
• They must therefore be aware of the risks they face while providing personal information and sharing personal details on the internet.
• They are not well enough educated about the various threats on the internet nowadays, such as online scammers, viral attacks, cracking, phishing and hacking tactics.
Three Main Issues That Are Not Given Much Attention (Continued…)
2 – Complacency: This is another threat, or rather issue, that plays a major role in making data insecure.
• Generally we do not take much care of, or stay serious about, the information we hold.
• But for another interested person, or any hacker, it is the best opportunity to steal your data.
• Here the user is typically satisfied with the current state and unaware of future risks to their data center or database.
• They generally have no idea of the various risks to their information that are to come; sometimes even educated and IT people make this mistake.
Three Main Issues That Are Not Given Much Attention (Continued…)
3 – No root-cause analysis: Traditionally, security solutions, whether at the perimeter, server or client, have focused on detecting, blocking and/or cleaning up the results of malicious software infections, but have not offered effective root-cause analysis.
• People need to know where the malware came from: was it a drive-by download, an infected USB drive, email, instant messaging or something else? It is not enough to say "Machine X was infected with malware Y, but I cleaned it up for you, no need to worry."
• In this case any company, or its IT department, must have something like an IDS (Intrusion Detection System) or a properly configured firewall in place.
What Steps Does an Attacker Take Before an Attack?
• It is not always easy to pick out an attacker.
• The attacker is also very knowledgeable, with a sound understanding of computer hardware and operating systems.
• So before they attack, they first study our systems' activities: which services are running, which operating system is in use, which other security software is present, and so on.
• They use certain tools that help them gather information about our systems.
• The attacker must know the operating system, because through this knowledge they can learn or understand the vulnerabilities the operating system exposes.
• In the forthcoming slides we will take a glimpse at some of these tools, how they function and how they are useful to an attacker.
Software Used by Attackers
TCPDUMP: This is a special type of software that is usually called a network sniffer.
• Attackers use it to sniff or record network traffic and take decisions accordingly.
• The tcpdump program was written by Van Jacobson, Craig Leres, and Steven McCanne, all of the Lawrence Berkeley Laboratory at the University of California at Berkeley.
• It is basically software that views a packet trace and works out a path, or rather the flow of traffic, and it can also help reveal vulnerabilities.
NMAP: This is a network scanning application used to scan for activity on the network.
• Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
Honey Pots: The Solution for Internet-Based Data Security
• Honey pots are fake computer systems, set up as a "decoy", that are used to collect data on intruders.
• The decoy may be any vulnerable operating system, or any fake web page, specially designed for information thieves or for those who wish to steal the information that is most important to the organization or institution.
• A honeypot, loaded with fake information, appears to the hacker to be a legitimate machine.
• While it appears vulnerable to attack, it actually prevents access to valuable data, administrative controls and other computers.
• Deception defenses can add an unrecognizable layer of protection.
Honeypot (Continued…)
• In another sense, honey pots are:
• "A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either inside or outside the firewall, the honey pot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system."
• If deployed correctly, a honey pot can serve as an early-warning and advanced security surveillance tool, minimizing the risks from attacks on IT systems and networks.
• Honey pots can also be used to analyze the ways in which attackers try to compromise an information system, providing valuable insight into potential system failures.
An Example of a Simple Honeypot (diagram slide)
Another Setup of Honey Pots (diagram slide)
How an Actual Honey Pot Works:
• As shown in the previous image, it does two jobs simultaneously.
• The first is to detect whether incoming packets or requests are coming from a malicious site or with malicious intent.
• The second, after detection, is to transfer the problematic packets or requests to the decoy server.
• The redirection is usually done with normal networking techniques, that is, through routers.
• The decoy simulates the original server's interface as if it were the server being targeted.
What Makes Any System a Honeypot System?
• A Decoy System: It seems to be the original system rather than a trap.
• Security Vulnerabilities: To attract a hacker, the system is intentionally kept insecure.
• Closely Monitored: The system is kept under watch to track the activities of black hats (black hats are basically the type of hackers who try to crash or crack a network) and other kinds of attacks, and to make an intensive study of their attack methodologies.
• Deceptive: It behaves as a normal system would look and respond.
• Well Designed: The system is designed in such a way that hackers, crackers or black hats may never know that they are under inspection.
Deployment Classification: Honey Pots
• Having cleared up the basic concepts, let us continue the discussion with the types of honey pots.
• There are several types of honey pots:
  • Production honey pots
  • Research honey pots
  • Database honey pots
• Production Honey Pots:
  • These honey pots are easy to use, capture a very limited amount of information, and are used primarily by organizations and corporations. Generally, they give less information about the attacker and the attacks.
  • This type of honey pot can be placed inside a network, so it is easy to integrate with the current network.
  • Why a production honey pot: it is implemented to mitigate the risk to an organization's internal network that is connected to the outside network.
Deployment Classification: Honey Pots (Continued…)
• Research Honey Pots: This is another type of honey pot, used to track the malicious intent of the black-hat community.
• This type of honey pot does not add value to security at the organization level, because it is implemented only to gather information about the tactics of black-hat hackers and to use that information to provide better security policies to organizations.
• This type of honey pot is quite complex to implement in practice, because we have to deploy the whole architecture, from real platforms to real servers, everything.
• Its purpose is to track the tricks and tactics followed by general hackers and black-hat hackers.
Types of Honey Pots (Continued…)
Database Honey Pots:
• Databases are often attacked by intruders using SQL injection. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some of the available SQL database firewalls provide or support honey pot architectures, so that the intruder runs against a trap database while the web application remains functional.
• It is basically intended for those who want to capture information directly from the original database.
• The term SQL injection used above is a type of malicious code injection technique: inserting untrusted SQL statements to fetch confidential data, or, simply put, an attack on database servers.
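The "detect, then divert to the decoy" flow from the earlier "How an Actual Honey Pot Works" slide and the trap-database idea on this slide, as an added Python example that is not part of the original presentation and not any real database firewall's code. The detection rules, the lookup request shape, and the contents of both in-memory databases are constructed for illustration and are assumptions:

```python
import re
import sqlite3
from dataclasses import dataclass, field


def build_db(rows):
    """Constructed helper: an in-memory sqlite3 database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


# Constructed sample data: the production database and the decoy ("trap")
# database, the latter loaded only with fake records.
PRODUCTION_DB = build_db([(1, "alice", "alice@example.com")])
TRAP_DB = build_db([(1, "decoy_admin", "decoy@honeypot.invalid")])

# Hypothetical detection rules: crude patterns typical of SQL injection probes
# (' OR 1=1, UNION SELECT, comment/stacked-query markers, time-based functions).
# A real database firewall would use a tuned rule set; these are an assumption.
SUSPICIOUS_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r"--|/\*|;\s*(drop|delete|update)\s", re.I),
    re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I),
]


@dataclass
class Decision:
    suspicious: bool
    rule: str          # pattern that fired, empty if clean
    backend: str       # "production" or "trap"
    rows: list = field(default_factory=list)


def classify(value: str):
    """Step one: detect. Returns (is_suspicious, rule_that_matched)."""
    for pat in SUSPICIOUS_PATTERNS:
        if pat.search(value):
            return True, pat.pattern
    return False, ""


def route_lookup(username: str, peer: str, log: list) -> Decision:
    """Step two: divert. Clean input is answered from production, suspicious
    input from the trap database, and every diversion is logged for review."""
    suspicious, rule = classify(username)
    if not suspicious:
        # Parameterised query: the real backend is never exposed to raw SQL.
        rows = PRODUCTION_DB.execute(
            "SELECT id, username, email FROM users WHERE username = ?",
            (username,),
        ).fetchall()
        return Decision(False, "", "production", rows)

    log.append({"peer": peer, "input": username, "rule": rule, "backend": "trap"})
    # The decoy answers with its fake records so the probe appears to succeed,
    # which keeps the intruder engaged with the trap rather than the real data.
    rows = TRAP_DB.execute("SELECT id, username, email FROM users").fetchall()
    return Decision(True, rule, "trap", rows)


if __name__ == "__main__":
    audit = []
    for peer, value in [("198.51.100.7", "alice"), ("203.0.113.5", "x' OR '1'='1")]:
        d = route_lookup(value, peer, audit)
        print(f"{peer} -> {d.backend}: {d.rows}")
    print("diversions logged:", audit)
```

The point of keeping a parameterised query on the production path is that the trap is a decoy, not a sacrificial injectable backend: the real database stays protected even if a probe slips past the patterns.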
Types According to Level of Interaction: Low-Interaction Honey Pot
• Another classification exists according to the level of workload, or level of interaction.
• Types of honey pots according to interaction:
  • Low interaction
  • High interaction
• Low-Interaction Honey Pot (e.g. Honeyd): This is a very low-risk and very low-interaction honey pot.
• Generally, honey pots resemble a real system, like a normal system that is vulnerable to attack.
• Secondly, this is not a complete system with a fully fledged operating system and other components; rather, it just simulates several network services such as HTTP, FTP, Telnet, etc.
• The disadvantage of this kind of system is that it is very easy to identify, because it is merely simulator software.
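A minimal low-interaction honey pot of the kind described above, as an added Python example that is not part of the original presentation and not Honeyd's code. It emulates only a banner and one canned reply for each of HTTP, FTP and Telnet, records every connection as a JSON log line, and otherwise holds nothing a visitor could use. The banner strings, the listening ports and the log record layout are constructed for illustration and are assumptions:

```python
import json
import socketserver
import threading
from datetime import datetime, timezone

# Constructed service emulations: a banner plus one canned reply each, nothing
# more. The version strings are decoration, not real software behind the port.
SERVICES = {
    "ftp":    {"port": 2121, "banner": b"220 ProFTPD 1.3.5 Server ready.\r\n"},
    "telnet": {"port": 2323, "banner": b"Ubuntu 16.04 LTS\r\nlogin: "},
    "http":   {"port": 8080, "banner": b""},   # HTTP waits for the request first
}


def emulate(service: str, data: bytes) -> bytes:
    """Canned response to the first client line of each emulated service."""
    line = data.strip()
    if service == "ftp":
        if line.upper().startswith(b"USER"):
            return b"331 Password required.\r\n"
        if line.upper().startswith(b"PASS"):
            return b"530 Login incorrect.\r\n"      # every login fails
        return b"500 Unknown command.\r\n"
    if service == "telnet":
        return b"Password: " if line else b"login: "
    if service == "http":
        body = b"<html><body>It works!</body></html>"
        return (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body
    raise ValueError("unknown service: %s" % service)


def make_record(service: str, peer: tuple, data: bytes) -> dict:
    """One log record per connection: who connected, where, and what they sent.
    The payload is truncated; it is evidence for the analyst, not executed."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        "payload": data.decode("utf-8", "replace").strip()[:200],
    }


class HoneyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        service = self.server.service
        self.request.settimeout(5)
        try:
            self.request.sendall(SERVICES[service]["banner"])
            data = self.request.recv(1024)
            self.server.records.append(make_record(service, self.client_address, data))
            self.request.sendall(emulate(service, data))
        except OSError:
            pass  # timeouts and resets are normal for scanner traffic


class HoneyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, service, records):
        super().__init__(addr, HoneyHandler)
        self.service = service
        self.records = records   # shared list the monitoring loop reads


def serve(service: str, records: list, host="127.0.0.1", port=0) -> HoneyServer:
    """Start one emulated service in a background thread (port 0 = ephemeral)."""
    srv = HoneyServer((host, port), service, records)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    import time
    records = []
    servers = [serve(name, records, port=cfg["port"]) for name, cfg in SERVICES.items()]
    print("listening on", [s.server_address for s in servers])
    seen = 0
    try:
        while True:
            time.sleep(1)
            for rec in records[seen:]:
                print(json.dumps(rec))   # one JSON line per connection
            seen = len(records)
    except KeyboardInterrupt:
        for s in servers:
            s.shutdown()
```

Because nothing real sits behind the ports, the risk is low, but so is the fidelity: a visitor who sends a second command gets the connection closed, which is exactly the "easy to identify" weakness the slide names.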
Types According to Level of Interaction: High-Interaction Honey Pot
• This is actually an implementation of a real system within a network.
• That means it works in a real environment, with a specific type of logging software.
• Basically, the logging software is used to track the activities of the user or of the system running as the main server.
• High risk, because hackers are not interacting with simulator software; they attack a real system set up in a real environment.
• There is much less chance of identifying a high-interaction honey pot.
The Final Step
• We have now studied many aspects of honey pots, such as what a real honey pot is.
• Honey Nets:
• "A honey net is a network of high-interaction honey pots that simulates a production network and is configured such that all activity is monitored, recorded and, to a degree, discreetly regulated."
• That means a single honey pot alone cannot be proven efficient and secure; but when we implement a collection of honey pots in a network, which, as mentioned in the above definition, are all high-interaction honey pots, then from anywhere and at any time we can catch the hackers and their actions.
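The monitoring side of a honey net, as an added Python example that is not part of the original presentation or of any honeynet project's tooling: it reads the records several sensors have written, summarises every source that touched the net (any contact with a decoy is suspect, since no legitimate client has business there), and flags sources that moved across multiple sensors within a short window, which is the pattern of a scan sweeping the network. The JSON-lines record layout, sensor names and sample events are constructed and are assumptions:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: events as three honeynet sensors might record them.
# Source addresses are from documentation ranges, not real attackers.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "sensor": "hp-web", "src_ip": "203.0.113.5", "dst_port": 80}
{"ts": "2024-05-01T10:00:03Z", "sensor": "hp-ftp", "src_ip": "203.0.113.5", "dst_port": 21}
{"ts": "2024-05-01T10:00:04Z", "sensor": "hp-tel", "src_ip": "203.0.113.5", "dst_port": 23}
{"ts": "2024-05-01T10:00:09Z", "sensor": "hp-web", "src_ip": "203.0.113.5", "dst_port": 8080}
{"ts": "2024-05-01T10:05:00Z", "sensor": "hp-web", "src_ip": "198.51.100.7", "dst_port": 80}
{"ts": "2024-05-01T12:30:00Z", "sensor": "hp-ftp", "src_ip": "192.0.2.44", "dst_port": 21}
{"ts": "2024-05-01T15:30:00Z", "sensor": "hp-tel", "src_ip": "192.0.2.44", "dst_port": 23}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines sensor output; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def summarise(events: list) -> dict:
    """Per-source view across the whole honey net: sensors and ports touched,
    first and last contact, number of connections."""
    by_src = defaultdict(lambda: {"sensors": set(), "ports": set(),
                                  "first": None, "last": None, "count": 0})
    for e in sorted(events, key=lambda e: e["ts"]):
        s = by_src[e["src_ip"]]
        s["sensors"].add(e["sensor"])
        s["ports"].add(e["dst_port"])
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
        s["count"] += 1
    return dict(by_src)


def sweeps(events: list, min_sensors: int = 2, window=timedelta(minutes=5)) -> set:
    """Sources that reached at least `min_sensors` distinct sensors within
    `window`: one host walking across the net is a scan, not a stray client."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src_ip"]].append(e)
    flagged = set()
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["sensor"])
            if len(seen) >= min_sensors:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, s in summarise(evs).items():
        print(src, sorted(s["sensors"]), sorted(s["ports"]), s["count"],
              s["first"].isoformat(), "->", s["last"].isoformat())
    print("sweeping sources:", sorted(sweeps(evs)))
```

The window is what turns "collection of honey pots" into something a single sensor cannot give: one decoy sees one connection, while the correlated view shows the same source probing web, FTP and Telnet decoys within seconds.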
Questions & Answers….
THANK YOU…. FOR YOUR KIND ATTENTION….
